[Fragments of the preceding table of primitive event types; only these cells survive extraction: FileWrite; FileRestore (bytesRead > 0, bytesWritten = 0); Print; CD; Machine; CDRead; ClipboardCutCopy; PrintEvent (operationType); Paste; Logoff; Process (Implied); and the notes "Skip the Machine events." and "Use processStartDtTm".]
Composite events: Event Name / Constituent Event Types / Pattern / Scope

Event Name: FileEdited
Constituent Event Types: FileRead, FileWrite, FileReadWrite
Pattern:
  Same processId and fileHandle.
  beforeHash of first read and afterHash of last write differ.
  Both reads and writes to same fileHandle.
  Sum of writes > 0.
Scope: Thread

Event Name: FileCopied
Constituent Event Types: FileRead, FileWrite, FileReadWrite, FileCopy
Pattern:
  Command shell: Alternating reads and writes. The reads all have one fileHandle, the writes all have a second one.
  Explorer: A long series of reads from one fileHandle followed by a long series of writes to a second. Mind the time period between.
  In both cases, the target device must not be removable.
Scope: Thread

Event Name: FileSaveAs
Constituent Event Types: FileRead, FileWrite, FileReadWrite
Pattern: (none given)
Scope: Process

Event Name: FileLeftThroughRemovableMedia
Constituent Event Types: FileRead, FileWrite, FileReadWrite, FileCopy
Pattern: Same as FileCopied or FileSaveAs, but target device is removable.
Scope: Process

Event Name: ClipboardToFile
Constituent Event Types: ClipboardCutCopy, ClipboardPaste
Pattern:
  Pair a ClipboardCutCopy with all subsequent ClipboardPaste events for that user login until the next copy or the user logs out.
  Problem: If the user closes the application that performed the copy and the object was large and the user opts not to keep it there, what happens?
Scope: Login

Event Name: PrintFile
Constituent Event Types: Print, possibly others
Pattern: Unclear. If there are temp files, intermediate PDF files, etc., then we may perform a chain of custody analysis to figure out just what was printed.
Scope: Thread

Event Name: BurnMaster
Constituent Event Types: FileRead, FileWrite
Pattern: An app known to burn files reads one or more files then writes a file.
Scope: Process

Event Name: BurnFile
Constituent Event Types: CDWrite, FileRead
Pattern:
  Application is recognized as a CD writing app. (Optional)
  Series of FileReads from one fileHandle, followed by a series of CDWrite events with the same process. May need to compare filenames, otherwise one read will exhaust all the writes. Alternately, all read files are lumped together with one large burn event. Or perhaps the first read of a new file after the last read from the previous file is the start of the next burn event.
Scope: Process

Event Name: FileLeftThroughNetworkPort
Constituent Event Types: FileRead, TCPIPInbound, TCPIPOutbound, UDPInbound, UDPOutbound, IPSECInbound, IPSECOutbound
Pattern:
  An overlapping stream of FileReads interspersed with inbound and outbound network events.
  All the network events should be for the same port (?) and to a destination NOT on localhost.
  All the network events should be for the same protocol.
Scope: Thread
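A correlator for the FileEdited, FileCopied and FileLeftThroughRemovableMedia patterns above, added here as an example and not code from the document; the FileEvent field names and the `removable` flag on a write's target device are assumptions about how the primitive events are recorded. It goes slightly beyond the table by classifying all three patterns from one per-process event stream.

```python
"""Composite file-event correlation (added example; field names are assumptions)."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class FileEvent:
    kind: str                # "FileRead" or "FileWrite"
    process_id: int
    file_handle: int
    nbytes: int
    before_hash: str = ""    # hash of file content before the operation
    after_hash: str = ""     # hash of file content after the operation
    removable: bool = False  # assumed flag: target device is removable media

def correlate(events):
    """Group primitive events per process and emit (name, processId, handle(s)) tuples."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[ev.process_id].append(ev)
    results = []
    for pid, evs in by_proc.items():
        reads = [e for e in evs if e.kind == "FileRead"]
        writes = [e for e in evs if e.kind == "FileWrite"]
        # every pattern here needs reads, writes and "sum of writes > 0"
        if not reads or sum(w.nbytes for w in writes) <= 0:
            continue
        read_handles = {e.file_handle for e in reads}
        write_handles = {e.file_handle for e in writes}
        if len(read_handles) != 1 or len(write_handles) != 1:
            continue  # several source or target handles: none of these patterns
        src, dst = read_handles.pop(), write_handles.pop()
        if src == dst:
            # FileEdited: same handle, content changed between first read and last write
            if reads[0].before_hash != writes[-1].after_hash:
                results.append(("FileEdited", pid, src))
        else:
            # FileCopied: reads on one handle, writes on a second; a removable
            # target turns it into FileLeftThroughRemovableMedia
            name = "FileLeftThroughRemovableMedia" if writes[-1].removable else "FileCopied"
            results.append((name, pid, (src, dst)))
    return results

# constructed sample stream (not captured data): an edit, a copy to removable
# media with shell-style alternating reads/writes, and a plain copy
SAMPLE = [
    FileEvent("FileRead", 100, 7, 512, before_hash="h1"),
    FileEvent("FileWrite", 100, 7, 600, after_hash="h2"),
    FileEvent("FileRead", 200, 3, 4096), FileEvent("FileWrite", 200, 9, 4096, removable=True),
    FileEvent("FileRead", 200, 3, 4096), FileEvent("FileWrite", 200, 9, 4096, removable=True),
    FileEvent("FileRead", 300, 5, 4096), FileEvent("FileWrite", 300, 8, 4096),
]
```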
Event Name: EmailFile
Constituent Event Types: FileRead, TCPIPInbound, TCPIPOutbound, (other protocols???)
Pattern:
  Similar to FileLeftThroughNetworkPort. Combines all interleaving FileReads with the network events.
  The application image name is one of those known to be an email program.
  May place constraints on the ports, since many emailers use certain well defined ports for SMTP, POP, etc.
Scope: Process

Event Name: InstantMessenger
Constituent Event Types: FileRead, TCPIPInbound, TCPIPOutbound, (other protocols???)
Pattern:
  Similar to FileLeftThroughNetworkPort. Combines all interleaving FileReads with the network events.
  The application image name is one of those known to be used for Instant Messenger.
  May place constraints on the ports.
Scope: Process

Event Name: P2PApp
Constituent Event Types: FileRead, TCPIPInbound, TCPIPOutbound, UDPInbound, UDPOutbound, IPSECInbound, IPSECOutbound
Pattern:
  P2PApp.
  Multiple ports will be used; some or all of them may have constraints.
  May constrain the protocol per app or per instance.
  Similar to FileLeftThroughNetworkPort as concerns interleaved file
Scope: Process

Event Name: FTPFile
Constituent Event Types: FileRead, FileWrite, ??? (TCPIPInbound, TCPIPOutbound)
Pattern:
  May want to split into two events, one for reading and one for writing.
  Constrain to the common FTP port, unless the app is known by name to be an FTP client.
  Like FileLeftThroughNetworkPort, look for interleaved reads and network events, or interleaved writes and network events.
Scope: Process

Event Name: RemoteAccess
Constituent Event Types: TCPIPInbound, TCPIPOutbound, UDPInbound, UDPOutbound, IPSECInbound, IPSECOutbound
Pattern:
  Do not incorporate FileRead events.
  Several ports may be used.
  Look for known image names of remote apps.
Scope: Process

Event Name: TunnelOut
Constituent Event Types: TCPIPInbound, TCPIPOutbound, UDPInbound, UDPOutbound, IPSECInbound, IPSECOutbound
Pattern:
  All events use same protocol. Only two processes used.
  Two different apps and four ports are used. One of the ports is remote.
  Event 1: The first app sends outbound from local port 1 to local port 2.
  Event 2: The second app (the tunneler) receives inbound from local port 1 to local port 2.
  Event 3: The tunneler also sends from local port 3 to remote port 4.
  Both events of the tunneler share the same thread (probably).
Scope: Login

Event Name: TunnelIn
Constituent Event Types: TCPIPInbound, TCPIPOutbound, UDPInbound, UDPOutbound, IPSECInbound, IPSECOutbound
Pattern:
  All events use same protocol. Only two processes used.
  Two different apps and four ports are used. One of the ports is remote.
  Event 1: The first app (the tunneler) receives inbound from remote port 1 to local port 2.
  Event 2: The tunneler sends outbound from local port 2 to local port 3.
  Event 3: The second app also receives inbound from local port 3 to local port
  Both events of the tunneler share the same thread (probably).
Scope: Login

Event Name: TunnelInOut
Constituent Event Types: TCPIPInbound, TCPIPOutbound, UDPInbound, UDPOutbound, IPSECInbound, IPSECOutbound
Pattern: Multiple protocols may be used. More research needed. More than three ports are used.
Scope: Login
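The TunnelOut three-event chain above, as an added example that is not the document's code: the NetEvent fields (process_id, thread_id, src_port, dst_port and a remote_dst flag marking a destination not on localhost) are assumed names for the attributes the pattern references. The constructed sample has one app relaying through a local tunneler plus an ordinary direct connection that must not match.

```python
"""TunnelOut detection over primitive network events (added example; field names assumed)."""
from dataclasses import dataclass

@dataclass
class NetEvent:
    kind: str          # e.g. "TCPIPOutbound", "TCPIPInbound", "UDPOutbound", ...
    process_id: int
    thread_id: int
    src_port: int
    dst_port: int
    remote_dst: bool   # assumed flag: destination host is not localhost

    @property
    def protocol(self):
        return self.kind.replace("Inbound", "").replace("Outbound", "")

def detect_tunnel_out(events):
    """Return (name, appPid, tunnelerPid, (port1, port2, port3, port4)) for each chain found."""
    found = []
    for e1 in events:
        # Event 1: the first app sends outbound from local port 1 to local port 2
        if not e1.kind.endswith("Outbound") or e1.remote_dst:
            continue
        for e2 in events:
            # Event 2: a second process (the tunneler) receives that same local
            # connection, same protocol, same port pair
            if (e2.kind.endswith("Inbound") and e2.process_id != e1.process_id
                    and e2.protocol == e1.protocol
                    and (e2.src_port, e2.dst_port) == (e1.src_port, e1.dst_port)):
                for e3 in events:
                    # Event 3: the tunneler sends from local port 3 to remote port 4
                    # on the same thread it received on
                    if (e3.kind.endswith("Outbound") and e3.remote_dst
                            and e3.process_id == e2.process_id
                            and e3.thread_id == e2.thread_id and e3.protocol == e1.protocol):
                        found.append(("TunnelOut", e1.process_id, e2.process_id,
                                      (e1.src_port, e1.dst_port, e3.src_port, e3.dst_port)))
    return found

# constructed sample (not captured traffic): pid 41 talks to a local proxy port
# owned by pid 42, which relays to a remote host; pid 43 connects out directly
SAMPLE = [
    NetEvent("TCPIPOutbound", 41, 1, 50000, 8080, False),
    NetEvent("TCPIPInbound", 42, 7, 50000, 8080, False),
    NetEvent("TCPIPOutbound", 42, 7, 50001, 443, True),
    NetEvent("TCPIPOutbound", 43, 2, 50002, 443, True),
]
```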
Event Name: FileLeftThroughTunnel
Constituent Event Types: FileRead, TunnelOut
Pattern:
  Similar to FileLeftThroughNetworkPort. Combines all interleaving FileReads involving a process that is participating in a TunnelOut event.
  If more than one file is read, the source destination will be a count of the files read.
Scope: Login?